Re: NFSv4: is KRB needed???

Damir Dezeljin wrote:
I guess that the problem is related to KRB (Kerberos-5). My authentication
backend is OpenLDAP. I don't want to change.
Do I really need KRB to use NFSv4? If yes ... is it possible to use data
from OpenLDAP for KRB?

I can't answer your first question.

As for your second question, getting Kerberos and OpenLDAP to work together is simple.

There are apparently two ways of doing it.

First approach is to let Kerberos handle authentication, and use LDAP for everything else. Using this approach, you can use either Kerberos or LDAP to check passwords (in the latter case, the LDAP server will check the password against Kerberos for you). Check this page for some hints:

   http://www.ofb.net/~jheiss/krbldap/howto.html

In short (plus some hints not present on that page), you set up Kerberos as usual, define users (now called principals) and so on. I will assume that you have set up /etc/krb5.conf and placed the key for host/hostname.yourdomain.com@xxxxxxxxxxxxxxxxxx into the /etc/krb5.keytab file as part of this setup on your LDAP server.

On your OpenLDAP server, create the file /usr/lib/sasl2/slapd.conf, and place a single line in it:

pwcheck_method: saslauthd

(or you can simply copy existing Sendmail.conf file).

Edit the /etc/sysconfig/saslauthd file and make sure these two are defined as follows:

MECH=kerberos5
FLAGS=-r

Enable saslauthd and start it:

# chkconfig saslauthd on
# /etc/init.d/saslauthd start

Then in your LDAP database, instead of placing passwords in the userPassword attribute, you place something like this (note that by convention, realm names should always be uppercase, and remember that Kerberos names are case sensitive):

userPassword: {SASL}username@xxxxxxxxxxxxxxxxxx

When slapd encounters this in userPassword attribute, it will connect to saslauthd, and saslauthd will check the password against your Kerberos realm (based on the config from /etc/krb5.conf). If using MIT implementation, you must have key for host/hostname.yourdomain.com@xxxxxxxxxxxxxxxxxx principal in /etc/krb5.keytab file (this file should be readable only by root).

You can also define ldap principal (ldap/hostname.yourdomain.com@xxxxxxxxxxxxxxxxxx), place key for it in /etc/openldap/ldap.key on your LDAP server (make the file readable only by ldap user), and place "KRB5_KTNAME=/etc/openldap/ldap.keytab" in /etc/sysconfig/ldap.

It is also possible to go the other way around, and use OpenLDAP as a store for Kerberos (you'll need krb5-kdc.schema included in your slapd.conf file). I've never done that, but a bit of searching on the web should help you.

--
Aleksandar Milivojevic <amilivojevic@xxxxxx>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
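An added sanity-check script for the setup described in the message above (it is not part of the original thread or of any Fedora package): it verifies the slapd.conf and saslauthd settings, that the keytab is readable only by its owner, and that a userPassword value has the {SASL}user@REALM form with an uppercase realm. The default paths are the ones named in the message; the GNU `stat -c` call and the `audit` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: audits the saslauthd/Kerberos password-check setup.
# Paths default to those in the message; override via environment.
SLAPD_SASL_CONF="${SLAPD_SASL_CONF:-/usr/lib/sasl2/slapd.conf}"
SASLAUTHD_SYSCONFIG="${SASLAUTHD_SYSCONFIG:-/etc/sysconfig/saslauthd}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# 0 if slapd hands password checks to saslauthd, 1 otherwise.
check_pwcheck() {
    grep -qE '^[[:space:]]*pwcheck_method:[[:space:]]*saslauthd[[:space:]]*$' "$1"
}

# 0 if saslauthd uses the kerberos5 mechanism with -r (realm is
# passed through, so user@REALM reaches the KDC unchanged).
check_saslauthd() {
    grep -qE '^MECH=kerberos5$' "$1" && grep -qE '^FLAGS=.*-r' "$1"
}

# 0 if the keytab has no group/other permission bits (e.g. 0600).
# Uses GNU stat (assumption: Linux/Fedora host).
check_keytab_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        [4-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

# 0 if a userPassword value is {SASL}user@REALM with an uppercase
# realm (Kerberos names are case sensitive), 1 otherwise.
check_sasl_password() {
    echo "$1" | LC_ALL=C grep -qE '^\{SASL\}[^@[:space:]]+@[A-Z0-9.-]+$'
}

# Report each check; never aborts so it can run on partial setups.
audit_all() {
    check_pwcheck "$SLAPD_SASL_CONF" && echo "slapd.conf: ok" || echo "slapd.conf: pwcheck_method not saslauthd"
    check_saslauthd "$SASLAUTHD_SYSCONFIG" && echo "saslauthd: ok" || echo "saslauthd: MECH/FLAGS not kerberos5 -r"
    check_keytab_mode "$KEYTAB" && echo "keytab: ok" || echo "keytab: missing or readable by others"
    return 0
}

# Run the audit only when invoked as: sh thisscript.sh audit
[ "${1:-}" = "audit" ] && audit_all
```

A userPassword value from an LDIF export can be fed to check_sasl_password directly to catch lowercase realms before slapd starts rejecting binds.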

